Is there any way for someone to bypass file permissions on a server?
Asked by
yannick (
985
)
December 5th, 2008
By that, I mean if a particular file on a server has its permissions set to 750 (so that ‘world’ cannot read, write or execute the file), is there any way someone in that category could get around the permissions and view the file? Basically what I mean is how safe are the file permission settings? I don’t know much about FTP etc so forgive me if this is a stupid question.
Observing members:
0
Composing members:
0
7 Answers
Depends on your set up. Are there other ways to get to the files on you server other than FTP? Are there any generic FTP users that may have permissions to the file? Test it, go off-site and try to get that file, ask a computer savvy friend try to get it.
However, if the permission on the file is “no read, write, or execute”, they should not be able to get it. They may be able to see that the file exists, but it will be locked from any actions. They shouldn’t be able to download it, since they can’t ‘read’ the file.
Hope that maybe answers your question. If you want, I can test it from here if you give me your permission/want me to.
Best of luck
If the Apache process belongs to the group that owns the file, then Apache will be able to serve the file.
Is the file inside the web accessible directory? Do you know which groups Apache belongs to? Do you have command-line access to your server?
If it is inside the web directory, try pulling up that file through the browser. If you get a “forbidden” error, then Apache does not belong to the group and the file should not be accessible via the web interface unless it is included in another file through a server-side language such as PHP.
Thanks for the help guys. @rich, yes, the file is in the web directory, and when I try and access it I do get a 403. This seems to indicate that it is safe? I’m not sure I understand the last part though (‘unless it is included in another file through a server-side language such as PHP’)...
Are you using any languages like PHP, Python; .etc? If not, then it’s safe.
I did have a PHP mailing list setup but that has been removed. If I was to put a file somewhere else on the server (e.g. not in the web folder) would that make it safer/less secure?
If it’s not in the path of the web server then you are fine from the respect of trying to get to the file via the web server (i.e. via your browser). I also thought that if the web server doesn’t have permissions to use the file (read/write/exec) then even trying to include it via PHP will return an error due to file permission errors.
Although your file is already safe from public access, placing it outside of the public web folder is generally the best thing to do.
Answer this question 
This question is in the General Section. Responses must be helpful and on-topic.
Composing members:
0
